TL;DR
Google Threat Intelligence Group and Mandiant report renewed BRICKSTORM backdoor activity used to maintain long-term access in U.S. organizations, with notable targeting of legal, SaaS, BPO and technology firms. The actor places backdoors on network and virtualization appliances, achieves long dwell times, and Mandiant has published a scanner to help hunt for infections.
What happened
Google's Threat Intelligence Group (GTIG), working with Mandiant Consulting, has documented a campaign that uses the BRICKSTORM backdoor to secure persistent, stealthy access to organizations in the United States. Mandiant has responded to intrusions since March 2025 across multiple industries, including legal services, SaaS providers, BPOs and technology firms. The actor favors installing backdoors on network and virtualization appliances that typically fall outside traditional endpoint monitoring, so security telemetry is minimal; the average observed dwell time is 393 days. Investigators found BRICKSTORM samples written in Go with SOCKS proxy capability, deployments on Linux and BSD appliances, and variants showing active development and obfuscation. In several intrusions the actor moved into VMware vCenter/ESXi environments, used an in-memory malicious Java Servlet filter (tracked as BRICKSTEAL) to harvest credentials, and cloned virtual machines to extract sensitive files. Mandiant has released a scanner that does not depend on YARA to help organizations hunt for BRICKSTORM indicators.
Why it matters
- Appliances and virtualization management layers can be blind spots for traditional security tools, allowing long, undetected intrusions.
- Credential harvesting on vCenter and cloning of VMs can expose domain and identity data critical to enterprise security.
- Sustained access to legal, SaaS and technology firms can yield espionage data and potential pivot points to downstream victims.
- Active development and stealth techniques (in-memory modifications, obfuscation, delayed beacons) increase the difficulty of detection and response.
Key facts
- GTIG and Mandiant are tracking renewed BRICKSTORM activity as of September 2025.
- Mandiant attributes the activity to UNC5221 and closely related suspected China-nexus clusters; GTIG does not currently equate UNC5221 with the actor publicly known as Silk Typhoon.
- Mandiant response engagements since March 2025 show victims in legal services, SaaS, BPO and technology sectors.
- Average dwell time observed for BRICKSTORM intrusions is 393 days.
- BRICKSTORM is written in Go, supports a SOCKS proxy, and has been found on Linux and BSD-based appliances; a Windows variant exists but was not observed in these investigations.
- The threat actor used in-memory modification to install a malicious Java Servlet filter (BRICKSTEAL) in vCenter's Tomcat web interface to capture HTTP Basic authentication credentials.
- Actors have cloned VMware virtual machines (including Domain Controllers and identity providers) to mount filesystems and extract data such as Active Directory databases.
- Mandiant observed evolving samples (obfuscation via Garble, custom wssoft library updates) and use of cloud-hosted services (Cloudflare Workers, Heroku) and dynamic DNS services (sslip.io, nip.io) for C2.
- Mandiant published a scanner script that mimics a YARA rule (G_APT_Backdoor_BRICKSTORM_3) and can run on *nix appliances without YARA installed.
What to watch next
- Download and run the Mandiant BRICKSTORM scanner from Mandiant's GitHub repository to hunt for indicators on appliances and systems that lack EDR coverage.
- Reevaluate appliance and virtualization threat models, and conduct hunt exercises focused on network and edge appliances, vCenter and ESXi hosts.
- Monitor vCenter logs and web interfaces for signs of in-memory modifications or unexpected servlet filters that could capture credentials.
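As an added example (not code from the report or from Mandiant's scanner): a small Python hunt over DNS query logs that flags names under the sslip.io and nip.io wildcard-DNS services the report associates with BRICKSTORM C2, and decodes the IP address embedded in each name so an analyst can pivot to the real endpoint. The log line format and the sample lines are constructed for this example, and the dotted/dashed name forms are an assumption about how those services encode an address.

```python
"""Hunt DNS query logs for wildcard-DNS names (sslip.io, nip.io) and decode the embedded IPv4."""
import ipaddress
import re
# Wildcard-DNS services the report names as BRICKSTORM C2 infrastructure.
WILDCARD_DNS_SUFFIXES = ("sslip.io", "nip.io")
# Both services spell the address out in the label, dotted or dashed (203-0-113-10.sslip.io).
_EMBEDDED_IPV4 = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})$")
# Constructed log format for this example: "<timestamp> <client> <qtype> <qname>".
_LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wildcard_dns_suffix(qname):
    """Return the wildcard-DNS suffix a queried name falls under, else None."""
    host = qname.lower().rstrip(".")
    return next((s for s in WILDCARD_DNS_SUFFIXES if host.endswith("." + s)), None)

def embedded_ipv4(qname, suffix):
    """Decode the IPv4 address encoded in a wildcard-DNS hostname, or None."""
    match = _EMBEDDED_IPV4.search(qname.lower().rstrip(".")[: -len(suffix) - 1])
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(match.groups())))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None

def hunt_dns_log(lines):
    """Return one finding per query that goes through a wildcard-DNS service."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, _qtype, qname = m.groups()
        suffix = wildcard_dns_suffix(qname)
        if suffix is None:
            continue
        ip = embedded_ipv4(qname, suffix)
        # An RFC 1918 target means the name points back into the network; flag that separately.
        internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in _RFC1918)
        findings.append({"time": ts, "client": client, "qname": qname, "service": suffix,
                         "target_ip": ip, "internal_target": internal})
    return findings

# Constructed sample lines; these names and addresses are not indicators from the report.
SAMPLE_LOG = [
    "2025-09-10T08:15:02Z 10.20.30.40 A 203-0-113-10.sslip.io",
    "2025-09-10T08:15:03Z 10.20.30.40 A www.example.com",
    "2025-09-10T08:16:10Z 10.20.30.41 A update.192.168.5.7.nip.io",
    "2025-09-10T08:17:44Z 10.20.30.42 A 256.1.1.1.nip.io",
]
```

Run `hunt_dns_log` over exported resolver or firewall DNS logs in the same four-field shape; a name under these services that decodes to an internal address deserves the same scrutiny as one pointing at an unfamiliar external host.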
Quick glossary
- Backdoor: Malicious software or code that provides an attacker with unauthorized remote access to a system, often designed to evade detection.
- Command-and-control (C2): Infrastructure used by attackers to send commands to compromised systems and receive stolen data.
- VMware vCenter / ESXi: Management platform (vCenter) and hypervisor (ESXi) used to run and control virtual machines in enterprise environments.
- Zero-day: A previously unknown software vulnerability that is exploited by attackers before the vendor has released a patch.
- Multi-factor authentication (MFA): Security method requiring two or more verification factors to gain access, reducing risk from stolen credentials.
Reader FAQ
Who is believed to be operating BRICKSTORM?
Mandiant attributes the activity to UNC5221 and related suspected China-nexus clusters; GTIG does not currently equate UNC5221 with the actor publicly reported as Silk Typhoon.
Which industries have been targeted?
Investigations since March 2025 identified victims in legal services, SaaS providers, business process outsourcing and technology firms.
Has Mandiant provided tools to detect this malware?
Yes. Mandiant published a scanner script that replicates a BRICKSTORM YARA rule and can run on *nix-based appliances without YARA.
How many organizations were affected?
Not confirmed in the source.
Are there confirmed patches or vendor fixes available?
Not confirmed in the source.

Sources
- Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors (Google Threat Intelligence Group; written by Sarah Yoder, John Wolfram, Ashley Pearson, Doug Bienstock, Josh Madeley, Josh Murchie, Brad Slaybaugh, Matt Lin, Geoff Carstairs and Austin Larsen)
- BRICKSTORM Backdoor
- Malware Analysis Report: BRICKSTORM Backdoor
- Google warns of Brickstorm backdoor targeting U.S. legal …